diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 2d480c2..8367fff 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -25,7 +25,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@v2.4.3
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
         with:
           results_file: results.sarif
           results_format: sarif
@@ -47,7 +47,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
           name: SARIF file
           path: results.sarif
@@ -56,6 +56,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9173ffe..e84d672 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -62,9 +62,6 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         persist-credentials: false
-    - uses: actions/setup-node@v4
-      with:
-        node-version: 22
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
       id: sp
@@ -142,9 +139,6 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         persist-credentials: false
-    - uses: actions/setup-node@v4
-      with:
-        node-version: 22
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
       id: sp
@@ -225,9 +219,6 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         persist-credentials: false
-    - uses: actions/setup-node@v4
-      with:
-        node-version: 22
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
       id: sp
diff --git a/.github/workflows/update_coc.yml b/.github/workflows/update_coc.yml
index f412dc2..77d9d95 100644
--- a/.github/workflows/update_coc.yml
+++ b/.github/workflows/update_coc.yml
@@ -21,6 +21,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Fetch CODE_OF_CONDUCT.md from django-commons
         run: |
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 369e001..20d19d4 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -4,7 +4,8 @@ on:
   push:
     branches: [ main ]
   pull_request:
-    branches: [ main ]
+    paths:
+      - ".github/workflows/**/*.yml"
   schedule:
     # Run weekly
     - cron: '0 0 * * 0'
@@ -28,24 +29,36 @@ jobs:
           persist-credentials: false
 
       - name: Set up Rust
-        uses: actions-rust-lang/setup-rust-toolchain@v1
-
+        uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98
+      - name: Install jq
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y jq
       - name: Install Zizmor
         run: |
           cargo install --locked zizmor
 
       - name: Run Zizmor analysis
         run: |
-          zizmor --format sarif .github/workflows/ > results.sarif
+          zizmor --format sarif .github/workflows/ > zizmor.sarif
 
       - name: Upload analysis results
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
           name: zizmor-results
-          path: results.sarif
+          path: zizmor.sarif
           retention-days: 7
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e
         with:
-          sarif_file: results.sarif
+          sarif_file: zizmor.sarif
+
+      - name: Fail on Findings
+        run: |
+          count="$(
+            jq '([.runs[]? | (.results // [])[] | select(.level != "note")] | length) // 0' \
+              zizmor.sarif
+          )"
+          echo "Zizmor findings: $count"
+          test "$count" -eq 0
diff --git a/.gitignore b/.gitignore
index 4bb8010..ccc51c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -159,3 +159,4 @@ cython_debug/
 /render_static/tests/examples/static
 requirements.txt
 uv.lock
+zizmor.sarif
diff --git a/doc/.readthedocs.yaml b/doc/.readthedocs.yaml
index 160fdea..34c28f6 100644
--- a/doc/.readthedocs.yaml
+++ b/doc/.readthedocs.yaml
@@ -20,3 +20,7 @@ build:
 # Build documentation in the docs/ directory with Sphinx
 sphinx:
    configuration: doc/source/conf.py
+   
+# Optionally build your docs in additional formats such as PDF and ePub
+formats:
+  - pdf
diff --git a/doc/source/conf.py b/doc/source/conf.py
index e71aff8..c8c901d 100644
--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@@ -74,6 +74,8 @@
 # so a file named "default.css" will overwrite the builtin "default.css".
 html_static_path = []
 
+latex_engine = 'xelatex'
+
 todo_include_todos = True
 
 # js_source_path = (
diff --git a/doc/source/index.rst b/doc/source/index.rst
index de15ccf..aba8e17 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -2,53 +2,55 @@
 Introduction
 ============
 
-.. image:: https://img.shields.io/badge/License-MIT-blue.svg
-   :target: https://lbesson.mit-license.org/
-   :alt: License: BSD
-
-.. image:: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json
-   :target: https://github.com/astral-sh/ruff
-   :alt: Ruff
-
-.. image:: https://badge.fury.io/py/django-render-static.svg
-   :target: https://pypi.python.org/pypi/django-render-static/
-   :alt: PyPI version
-
-.. image:: https://img.shields.io/pypi/pyversions/django-render-static.svg
-   :target: https://pypi.python.org/pypi/django-render-static/
-   :alt: PyPI pyversions
-
-.. image:: https://img.shields.io/pypi/djversions/django-render-static.svg
-   :target: https://pypi.org/project/django-render-static/
-   :alt: PyPI Django versions
-
-.. image:: https://img.shields.io/pypi/status/django-render-static.svg
-   :target: https://pypi.python.org/pypi/django-render-static
-   :alt: PyPI status
-
-.. image:: https://img.shields.io/pypi/types/django-render-static.svg
-   :target: https://pypi.python.org/pypi/django-render-static
-   :alt: PyPi Typed
-
-.. image:: https://readthedocs.org/projects/django-render-static/badge/?version=latest
-   :target: http://django-render-static.readthedocs.io/?badge=latest/
-   :alt: Documentation Status
-
-.. image:: https://img.shields.io/codecov/c/github/bckohan/django-render-static/main.svg
-   :target: https://codecov.io/github/bckohan/django-render-static?branch=main
-   :alt: Code Coverage
-
-.. image:: https://github.com/bckohan/django-render-static/actions/workflows/test.yml/badge.svg?branch=main
-   :target: https://github.com/bckohan/django-render-static/actions/workflows/test.yml?query=branch:master
-   :alt: Test Status
-
-.. image:: https://github.com/bckohan/django-render-static/actions/workflows/lint.yml/badge.svg?branch=main
-   :target: https://github.com/bckohan/django-render-static/actions/workflows/lint.yml?query=branch:master
-   :alt: Lint Status
-
-.. image:: https://img.shields.io/badge/Published%20on-Django%20Packages-0c3c26
-   :target: https://djangopackages.org/packages/p/django-render-static/
-   :alt: Published on Django Packages
+.. only:: html
+  
+  .. image:: https://img.shields.io/badge/License-MIT-blue.svg
+    :target: https://lbesson.mit-license.org/
+    :alt: License: BSD
+
+  .. image:: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json
+    :target: https://github.com/astral-sh/ruff
+    :alt: Ruff
+
+  .. image:: https://badge.fury.io/py/django-render-static.svg
+    :target: https://pypi.python.org/pypi/django-render-static/
+    :alt: PyPI version
+
+  .. image:: https://img.shields.io/pypi/pyversions/django-render-static.svg
+    :target: https://pypi.python.org/pypi/django-render-static/
+    :alt: PyPI pyversions
+
+  .. image:: https://img.shields.io/pypi/djversions/django-render-static.svg
+    :target: https://pypi.org/project/django-render-static/
+    :alt: PyPI Django versions
+
+  .. image:: https://img.shields.io/pypi/status/django-render-static.svg
+    :target: https://pypi.python.org/pypi/django-render-static
+    :alt: PyPI status
+
+  .. image:: https://img.shields.io/pypi/types/django-render-static.svg
+    :target: https://pypi.python.org/pypi/django-render-static
+    :alt: PyPi Typed
+
+  .. image:: https://readthedocs.org/projects/django-render-static/badge/?version=latest
+    :target: http://django-render-static.readthedocs.io/?badge=latest/
+    :alt: Documentation Status
+
+  .. image:: https://img.shields.io/codecov/c/github/bckohan/django-render-static/main.svg
+    :target: https://codecov.io/github/bckohan/django-render-static?branch=main
+    :alt: Code Coverage
+
+  .. image:: https://github.com/bckohan/django-render-static/actions/workflows/test.yml/badge.svg?branch=main
+    :target: https://github.com/bckohan/django-render-static/actions/workflows/test.yml?query=branch:master
+    :alt: Test Status
+
+  .. image:: https://github.com/bckohan/django-render-static/actions/workflows/lint.yml/badge.svg?branch=main
+    :target: https://github.com/bckohan/django-render-static/actions/workflows/lint.yml?query=branch:master
+    :alt: Lint Status
+
+  .. image:: https://img.shields.io/badge/Published%20on-Django%20Packages-0c3c26
+    :target: https://djangopackages.org/packages/p/django-render-static/
+    :alt: Published on Django Packages
 
 Use Django's template engines to render static files that are collected during the
 :django-admin:`collectstatic` routine and likely served above Django at runtime. Files rendered by
diff --git a/justfile b/justfile
index 7c19762..8312d06 100644
--- a/justfile
+++ b/justfile
@@ -93,17 +93,17 @@ clean: clean-docs clean-git-ignored clean-env
 
 # build html documentation
 build-docs-html:
-    @just run --group docs --all-extras --isolated --exact sphinx-build --fresh-env --builder html --doctree-dir ./doc/build/doctrees ./doc/source ./doc/build/html
+    @just run --no-default-groups --group docs --all-extras --isolated --exact sphinx-build --fresh-env --builder html --doctree-dir ./doc/build/doctrees ./doc/source ./doc/build/html
 
 [script]
 _open-pdf-docs:
     import webbrowser
     from pathlib import Path
-    webbrowser.open(f"file://{Path('./doc/build/pdf/django-render-static.pdf').absolute()}")
+    webbrowser.open(f"file://{Path('./doc/build/pdf/djangorenderstatic.pdf').absolute()}")
 
 # build pdf documentation
 build-docs-pdf:
-    @just run --group docs --all-extras --isolated --exact sphinx-build --fresh-env --builder latex --doctree-dir ./doc/build/doctrees ./doc/source ./doc/build/pdf
+    @just run --no-default-groups --group docs --all-extras --isolated --exact sphinx-build --fresh-env --builder latex --doctree-dir ./doc/build/doctrees ./doc/source ./doc/build/pdf
     make -C ./doc/build/pdf
     @just _open-pdf-docs